BAA
Business Associate Agreement
March 2026
This Business Associate Agreement (“BAA”), effective ________, 202 (the “Effective Date”), is entered into by:
Customer:
AND
FaxSIPit Services Inc. (“FSI”)
Suite 113-1150 Station Street
Vancouver, BC V6A 4C7, Canada
99 Wall Street #847
New York, NY 10005, USA
(Each a “Party” and collectively, the “Parties”)
I. Definitions
“Breach,” “Business Associate,” “Covered Entity,” and “Security Incident” have the same meanings given to them under HIPAA.
“DHHS” means the U.S. Department of Health & Human Services.
“HIPAA” means the Health Insurance Portability & Accountability Act, the Health Information Technology for Economic & Clinical Health Act (“HITECH”), and the regulations enacted thereunder (including 45 C.F.R. Parts 160 and 164), each as amended and as applicable.
“PHI” and “Unsecured PHI” mean “protected health information” and “unsecured protected health information,” as those terms are defined under HIPAA, if transmitted via FSI through Customer’s permitted use of the Secured Services.
“Service Agreement” means the FSI Customer Service Agreement in place between Customer and FSI that covers the Secured Services, as may be amended.
“Secured Services” means the internet facsimile services listed in Section II(C) that FSI provides to Customer pursuant to the Service Agreement, but only to the extent that such services are used as permitted and configured in accordance with HIPAA regulations.
“Zero Day Retention” means to remove documents shortly after the transmission to the final destinations occurs.
All other capitalized terms shall have the same meanings as those set forth under HIPAA.
II. Applicability
A. Relationship to Service Agreement
This BAA amends the Service Agreement to govern the Parties’ respective obligations regarding HIPAA and PHI. To the extent there is any conflict or inconsistency between this BAA and the Service Agreement, with regard to matters related to HIPAA, the terms of this BAA will govern. Except as expressly amended by this BAA, the Service Agreement is unchanged and remains in full force and effect.
B. Parties
This BAA only applies to the extent Customer is acting as a Covered Entity or Business Associate to transmit PHI via the Secured Services and where FSI, as a result, is deemed to be acting as Customer’s Business Associate.
C. Services
This BAA only applies to the following Secured Services and no other FSI services:
• SecureFax-ATA (TLS enabled)
• FSI Email to Fax with TLS enabled
• FSI Fax to Email with TLS enabled
• FSI Web to Fax with HTTPS enabled
• FSI DesktopFax (Print-to-Fax Service) with HTTPS enabled
• BYOC Appliance, Integrations, and Applications using RESTful API over HTTPS
• SFTP Fax Retrieval Services
In all instances, the service must be configured in accordance with the settings above to qualify as a Secured Service. All obligations and representations of FSI under this BAA are contingent on Customer’s agreement, representation, and warranty that it will not create, receive, maintain, or transmit PHI using an FSI service other than a Secured Service or another FSI service for which the Parties have entered into a separate HIPAA business associate agreement.
III. Permitted Use & Disclosure
A. By FSI
FSI is authorized to access, use, maintain, and disclose PHI as necessary and appropriate to perform the Secured Services. FSI may also access, use, maintain, and disclose PHI for the proper management and administration of its business operations and to carry out its legal responsibilities, provided that disclosures for such purposes are either required by law or FSI obtains reasonable assurances from parties to whom PHI is disclosed that:
• the PHI will be held in confidence;
• the PHI will be used or further disclosed only as required by law or for the purpose FSI disclosed that PHI; and
• FSI will be notified of any Breach.
FSI agrees not to access, use, maintain, or disclose PHI other than as provided above.
B. By Customer
Except as otherwise permitted under HIPAA, Customer shall not request FSI to use or disclose PHI in a manner that would not be permissible under HIPAA if done by Customer.
With regard to Customer’s management and administration of the Secured Services to its end users, Customer is responsible for using and enforcing the available controls within the Secured Services to support its HIPAA compliance requirements.
Customer agrees that FSI has no HIPAA obligations under this BAA to the extent Customer creates, receives, maintains, or transmits PHI outside of the Secured Services, including through Customer’s use of non-FSI applications or tools.
If Customer wishes to employ Zero Day Retention, Customer agrees to notify FSI and select the appropriate setting, where available, to automatically remove stored documents from the Secured Services promptly after transmission or delivery to the final destination occurs.
C. By Agents & Subcontractors
FSI will take appropriate steps to ensure that any agents and subcontractors used by FSI to perform its obligations under the Service Agreement who create, receive, maintain, or transmit PHI are bound by written obligations that provide materially the same level of restrictions, conditions, and requirements for PHI that apply to FSI through this BAA.
D. Data Location and Encryption
FSI represents that protected health information processed under the Services is stored only within the United States and is encrypted in transit and at rest.
IV. Security & Reporting
A. Appropriate Safeguards
With respect to the Secured Services, FSI and Customer will use appropriate safeguards designed to prevent unauthorized use or disclosure of PHI, consistent with this BAA and as required under HIPAA.
B. Reporting
In compliance with HIPAA, FSI will report to Customer any of the following events of which it becomes aware:
• Any use or disclosure of Unsecured PHI not provided for by this BAA;
• Any Security Incident; and/or
• Any Breach of Unsecured PHI.
Notification shall be made as soon as reasonably practicable, consistent with the legitimate needs of law enforcement and FSI’s efforts to comply with applicable law, and after allowing reasonable time for FSI to investigate the Breach, restore the integrity of its systems and the Secured Services, and mitigate further harm.
C. Accounting Rights
To the extent applicable, FSI will make available to Customer any PHI that Customer maintains using the Secured Services, so that Customer may fulfill its HIPAA obligations to provide individuals with their information access, amendment, and accounting rights.
Customer is responsible for managing its use of the Secured Services to appropriately respond to such requests by individuals.
D. Access to Records
To the extent required by law and subject to any applicable privileges and immunities, FSI will make available to the Secretary of DHHS FSI’s internal practices, books, and records concerning PHI transmitted by Customer through the Secured Services, in order for the Secretary of DHHS to assess HIPAA compliance.
V. Term & Termination
A. Term
The term of this BAA shall commence on the Effective Date and shall continue and terminate contemporaneously with the Service Agreement, unless sooner terminated in accordance with Section V(B) or V(C).
In the event that this BAA is terminated earlier than the Service Agreement, Customer may continue to use the Secured Services in accordance with the Service Agreement but must delete any PHI maintained using the Secured Services and cease to create, receive, maintain, and transmit PHI using the Secured Services.
B. Termination for Cause
In the case of a material breach of this BAA, the non-breaching Party shall provide written notice promptly upon discovery of such breach.
If the breach is not reasonably capable of being cured, the non-breaching Party may terminate this BAA and the Service Agreement ten (10) days after written notice.
If the breach is reasonably capable of being cured, the breaching Party shall be afforded a thirty (30) day opportunity to cure, after which the non-breaching Party may terminate this BAA and the Service Agreement if the breach is not reasonably cured.
C. Other Termination
This BAA may also be terminated if:
(i) the Service Agreement is terminated or amended to no longer cover FSI’s provision of Secured Services to Customer;
(ii) HIPAA is amended or superseded such that an agreement such as this is not required; or
(iii) both Parties mutually agree to terminate this BAA, provided that either a new HIPAA business associate agreement must be put in place or the service relationship between FSI and Customer must terminate in all respects that involve PHI.
D. Destruction upon Termination
Upon termination of this BAA, the Parties shall destroy all PHI associated with Customer that has been maintained on FSI’s systems within a reasonable time.
To the extent destruction is not feasible, FSI will extend the protections of this BAA to the remaining PHI and limit further use and disclosure to the purposes that make destruction infeasible.
VI. General Provisions
A. Amendments
This BAA shall not be modified or amended except by a written agreement signed by both Parties.
The Parties agree to modify or amend this BAA if HIPAA changes in a manner that materially affects the BAA’s terms or the obligations of Covered Entities, Business Associates, or subcontractors.
B. No Third-Party Beneficiaries
This BAA is entered into solely for the benefit of the Parties and has not been entered into for the benefit of any third party, including without limitation, any patients of Customer or their legal representatives.
C. Non-Delegation & Non-Assignment
Except with respect to agents and subcontractors as provided for in Section III(C), this BAA is not assignable or delegable without the advance written consent of the Party not seeking to assign or delegate.
D. Invalidity
If any provision of this BAA is determined by a court of competent jurisdiction to be invalid or unenforceable, this BAA shall be construed as though such invalid or unenforceable provision were omitted, provided that the remainder of this BAA continues to satisfy HIPAA requirements for a business associate agreement.
If it does not, then the Parties shall immediately renegotiate this BAA so that it does comply with HIPAA, or terminate this BAA and the service relationship between FSI and Customer in all respects that involve PHI.
E. Counterparts
This BAA may be executed and delivered in any number of counterparts, each of which when executed and delivered is an original but all of which taken together constitute one and the same instrument.
F. Integration
This BAA contains the entire agreement between the Parties pertaining to HIPAA and PHI, and supersedes all prior understandings, whether written or oral, regarding the same subject matter.
